Update lighty ssl conf - inc sync default 10-ssl.conf with that provided by lighttpd-mod-openssl pkg

JedMeister · JedMeister · commit 783a7c066e23 · 2025-10-13T10:16:07.000+11:00
diff --git a/overlays/lighttpd/etc/lighttpd/conf-available/10-ssl.conf b/overlays/lighttpd/etc/lighttpd/conf-available/10-ssl.conf
@@ -1,13 +1,15 @@
-# /usr/share/doc/lighttpd/ssl.txt (in 'lighttpd-doc' package)
+# /usr/share/doc/lighttpd/ssl.txt
+# -*- conflicts: mbedtls, gnutls, nss, wolfssl -*-
 
 server.modules += ( "mod_openssl" )
 
+# ssl.* in global scope gets inherited by
+#   $SERVER["socket"] == "..." { ssl.engine = "enable" }
+
 # Use TurnKey hardened SSL/TLS defaults for all SSL/TLS traffic.
 include "ssl-params.conf"
 
 $SERVER["socket"] == "0.0.0.0:443" {
-    ssl.engine  = "enable"
+	ssl.engine  = "enable"
 }
-
-# support for IPv6 HTTPS via Debian script (in 'lighttpd' package)
 include_shell "/usr/share/lighttpd/use-ipv6.pl 443"
diff --git a/overlays/lighttpd/etc/lighttpd/ssl-params.conf b/overlays/lighttpd/etc/lighttpd/ssl-params.conf
@@ -1,24 +1,38 @@
-# This is a shared hardened SSL conf provided by TurnKey
-# created 2021-11-11 using guidance from Mozilla Guideline v5.6
-# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.59&config=intermediate&openssl=1.1.1k&hsts=false&guideline=5.6
+# This is a custom shared hardened SSL conf provided by TurnKey
+# created 2025-20-11 using guidance from Mozilla Guideline v5.7
+# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.79&config=intermediate&openssl=3.5.1&guideline=5.7
+# By default this file is sourced by /etc/lighttpd/conf-available/10-ssl.conf
 
 ssl.pemfile = "/etc/ssl/private/cert.pem"
 ssl.privkey = "/etc/ssl/private/cert.key"
 ssl.dh-file = "/etc/ssl/private/dhparams.pem"
 
-ssl.openssl.ssl-conf-cmd = (
-    "MinProtocol" => "TLSv1.2",
-    "Options" => "-ServerPreference",
-    # ciphers set by common/conf/turnkey.d/zz-ssl-ciphers
-    "CipherString" => "ZZ_SSL_CIPHERS"
-)
+ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
+# lighttpd 1.4.79 TLS default appends X448
+#ssl.openssl.ssl-conf-cmd += ("Curves" => "X25519:prime256v1:secp384r1")
 
-setenv.add-response-header = (
-    #  HTTP Strict Transport Security (63072000 seconds)
+# lighttpd TLS defaults are widely supported by clients and should be preferred.
+# See https://wiki.lighttpd.net/Docs_SSL
+# Uncomment to better match the less restricted Mozilla intermediate spec.
+# (TKL Ciphers set by common/conf/turnkey.d/zz-ssl-ciphers)
+#ssl.openssl.ssl-conf-cmd += ("CipherString" => "ZZ_SSL_CIPHERS")
+
+# HSTS config + additional hardening
+server.modules += ("mod_redirect")
+server.modules += ("mod_setenv")
+$HTTP["scheme"] == "https" {
+  # HTTP Strict Transport Security (63072000 seconds)
+  setenv.add-response-header = (
     "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
     "X-Frame-Options" => "DENY",
-    "X-Content-Type-Options" => "nosniff"
-)
+    "X-Content-Type-Options" => "nosniff",
+  )
+}
+else $HTTP["scheme"] == "http" {
+    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
+}
+
+# OCSP stapling config (disabled by default)
 
 # OCSP stapling (input file is maintained by external 'cert-staple.sh' script)
 # https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
